Configuring Mozilla Firefox using Group Policies

In this article I’ll try to describe the configuration management of modern Mozilla Firefox versions via Group Policies in a corporate environment (Microsoft Active Directory-based domain environment).

The Issues of Centralized Management of Firefox Settings

Earlier, it wasn’t too hard to manage Firefox settings in the corporate environment, since, as with any normal Windows application, all Firefox settings were stored in the registry. You could find or write the necessary GPO administrative templates to make it easier for administrators. (For example, Google has developed and is supporting a set of adm/admx templates for Chrome.) However, Mozilla decided to do it differently, and now Firefox stores its settings in files located in the user profile.

After digging around the Internet for a long time, I found some “solutions” to this problem, but none of them works, for various reasons. The common idea of these solutions is to create a GPO, make changes to a specific registry branch and then write the necessary parameters into the Firefox configuration files using a Visual Basic script. At first glance, this is convenient and consistent, but … there is always a slight hitch: Mozilla developers change both the location of the configuration files and the names of these files, etc.

The method described in this article has been tested in modern Firefox versions (Firefox 43.0.2 and higher).

The Peculiarities of Firefox Management in the Domain Environment

There are a number of Firefox settings that can be used both for preconfiguration and to disable or block something in an enterprise environment, where users, as a rule, do not have administrator privileges and IT specialists have to decide which browser settings users are allowed to change and which are preset and unchangeable.

This can, for example, include:

Import Wizard – Firefox runs this wizard at the first start to import the settings from other installed browsers. You would like to disable this wizard.

Automatic updates for Firefox – Options -> Advanced -> Update -> Firefox updates. It is better to update Firefox centrally rather than separately on every user computer. Automatic updates for extensions can be left enabled, since they are stored on the user computer.

Default browser check – Options -> Advanced -> General – Always check to see if Firefox is the default browser on startup. If Microsoft Internet Explorer is selected as the default browser in the corporate environment, this check has to be disabled and users have to be prevented from making Firefox the default browser.

At the first start, disable ‘Welcome to Firefox’ tab, as well as ‘Know your rights’ and ‘Improve Firefox’ notifications.

How to Manage and Lock Firefox Settings

Firefox can be configured with default settings that are locked for any new user profile. Thus, the settings will contain all necessary parameters. Mozilla has made it easier (I don’t think so!) to deploy Firefox with preconfigured settings by adding some special files during the installation (or, for example, when a computer connects to the domain network). It is assumed that Firefox is installed in the default folder:

%ProgramFiles%\Mozilla Firefox\browser\defaults\pref\all-settings.js

%ProgramFiles%\Mozilla Firefox\Mozilla.cfg

Then Firefox will be configured with the default settings and all necessary parameters will be locked.

Here we can define and lock specific Firefox settings. For instance, in the example below, the automatic update feature, the “Welcome to Firefox” tab and the “Know your rights” and “Improve Firefox” notifications are blocked. The last line prevents making Firefox the default browser.

Important:

All parameters in Mozilla.cfg have to be written starting from the second line. Don’t ask me why. For example, put a comment (//) on the first line.

The parameters and all settings are case-sensitive. If you make a mistake, Firefox won’t start.

A sample of Mozilla.cfg used in the real corporate environment is shown below.

Note. Pay attention to the fact that all parameters are set using pref. This means that the parameter will be set, but a user will be able to change it. To make the parameter unchangeable, use lockPref.

// Parameters keywords.
// pref
// sets the preference as if a user had set it, every time you start the browser.
// So users can make changes, but they will be erased on restart. If you set a
// particular preference this way, it shows up in about:config as “user set”.
// defaultPref
// is used to alter the default value, though users can set it normally and their
// changes will be saved between sessions. If preferences are reset to default
// through the GUI or some other method, this is what they will go back to.
// Appears in about:config as “default”.
// lockPref
// is used to lock preferences so they cannot be changed through the GUI or about:config.
// In many cases the GUI will change to reflect this, graying out or removing options.
// Appears in about:config as “locked”. Some config items require lockPref to be set,
// such as app.update.enabled. It will not work if it is set with just pref.
// clearPref
// can be used to “blank” certain preferences. This can be useful e.g. to disable functions
// that rely on comparing version numbers.

Other parameters to your taste can be selected at the Firefox page about:config
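
A lint check for the pitfalls listed above (directives starting on the first line, wrong keyword case, settings left changeable with pref or defaultPref), as an added example that is not part of the original article. The sample files are constructed, and the preference names other than app.update.enabled are not taken from the article.

```javascript
// Added example: lint a mozilla.cfg for the pitfalls named in the article.
const KEYWORDS = ["pref", "defaultPref", "lockPref", "clearPref"];

function lintMozillaCfg(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    const lineNo = i + 1;
    if (line === "" || line.startsWith("//")) return; // blank line or comment
    const m = /^([A-Za-z]+)\s*\(\s*"([^"]+)"/.exec(line);
    if (!m) {
      // Not a simple keyword("name", value) directive.
      findings.push({ line: lineNo, rule: "unrecognized", detail: line });
      return;
    }
    const [, keyword, name] = m;
    // Directives have to start on the second line of the file.
    if (lineNo === 1) findings.push({ line: 1, rule: "first-line", detail: name });
    if (!KEYWORDS.includes(keyword)) {
      // Keywords are case-sensitive: suggest the correct spelling if one matches.
      const fix = KEYWORDS.find((k) => k.toLowerCase() === keyword.toLowerCase());
      findings.push({
        line: lineNo,
        rule: fix ? "keyword-case" : "unknown-keyword",
        detail: fix ? `${keyword} -> ${fix}` : keyword,
      });
    } else if (keyword === "pref" || keyword === "defaultPref") {
      // The value is applied, but the user can still change it.
      findings.push({ line: lineNo, rule: "not-locked", detail: name });
    }
  });
  return findings;
}

// Constructed sample file (not the author's Mozilla.cfg).
const SAMPLE_CFG = [
  "// first line: keep it a comment",
  'lockPref("app.update.enabled", false);',
  'lockpref("browser.shell.checkDefaultBrowser", false);',
  'pref("browser.rights.3.shown", true);',
  'lockPref("browser.startup.homepage_override.mstone", "ignore");',
].join("\n");

// Constructed sample with a directive on line 1.
const BAD_FIRST_LINE = 'lockPref("app.update.enabled", false);\n';

for (const f of lintMozillaCfg(SAMPLE_CFG)) {
  console.log(`line ${f.line}: ${f.rule} (${f.detail})`);
}
```

Running the check against the file on the share before the GPP copy rule distributes it catches a miscased keyword before it reaches every workstation.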

How to Copy Files Containing Firefox Settings to User Computers Using GPP

Then you have to copy these files to the computers of your users. To do it, create rules for deleting/copying files using Group Policy preferences (GPP).

Note. The disadvantage of this method is the fact that if you have an x86 workstation, the folder C:\Program Files (x86) with the subfolder Mozilla Firefox (containing defaults\pref) will be additionally created. Of course, you can add filters to your policy to detect the bitness of the installed OS, but … I’m too lazy. I’ll leave it to you as homework :-).

Important: Don’t forget to put your configuration files in the locations where Domain Computers could read them. At least two variants are possible:

You can place your files in the NETLOGON folder – but that is bad form :)

You can place the files in a network share and allow Domain Computers to read them. Remember that the copy happens when the computer starts and logs on to the domain, i.e. during Startup, when no user is logged on, so it runs with SYSTEM privileges.

I have these files located in Firefox folder in the network share.

A couple of points:

An enforced policy is used, which is applied every time a computer connects to the network.

Each time the files are deleted and then copied back again. Why? It is convenient for me. Nothing more.

That is almost all. We have configured the file Mozilla.cfg and copied it to the user computers. Now you can create your own Mozilla.cfg, define your settings, and lock those settings you don’t want users to change.